Roles
Customer is data controller (or processor acting for its own controller). QEHS is data processor for customer data, and sub-processor for any onward processors customer engages.
Processing instructions
QEHS processes customer data only on documented instructions: (a) to provide the service, (b) to comply with law, or (c) as expressly authorised in writing.
Sub-processors
Listed at qehsethos.com/trust/subprocessors. 30-day prior notice of changes; customer may object on reasonable data-protection grounds.
International transfers
Transfers from the EEA, UK, or Switzerland rely on the EU SCCs (2021/914) and UK IDTA as appropriate. Supplementary measures are documented in the Transfer Impact Assessment, available on request.
Security & audits
Technical and organisational measures are described in Annex II and the Trust Center. Customer may audit once per year with reasonable notice, or rely on SOC 2 Type 2 / ISO 27001 reports.
Breach notification
QEHS notifies customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting customer data.